15.1 Latest Release Information

This document is accurate at the time of publication. Oracle will update the release notes periodically after the software release. You can access the latest information and additions to these release notes on the Oracle Technology Network at:

http://www.oracle.com/technology/documentation/

15.2 What's New in Oracle Role Manager

The following sections discuss what's new in Oracle Role Manager release 10.1.4.2:

15.2.2 New Features and Enhancements

15.2.2.1 Usability

This release includes many usability enhancements to the Oracle Role Manager user interface for an improved end-user experience. These include the following:

Audit history details now display workflow events as well as dynamic role membership audit events.

The Outbox now displays workflow events.

The system now detects whether the Integration Library is installed and adjusts the user experience as follows:

Entitlement data from Oracle Identity Manager now displays if the Integration Library is installed. If the Integration Library is not installed, no entitlement data from Oracle Identity Manager is displayed.

Person fields and entitlement fields display as read-only if the Integration Library is installed, so that Oracle Identity Manager remains the system of record for person and entitlement data. If the Integration Library is not installed, person fields and entitlement fields are editable fields.

15.2.2.2 Installation

The Oracle Role Manager installation now includes the Oracle Role Manager Integration Library software for easier deployment. In addition, for deployments of the Integration Library on Oracle WebLogic Server, this release provides a new tool to simplify configuration.

15.2.2.3 Integration Library

The Integration Library has been enhanced with new functionality supporting role grant approval workflow and reconciliation of entitlements and IT Roles (as access policies in Oracle Identity Manager). Additionally, there are now new scheduled tasks for one-time import of entitlements, user groups, and access policies. See Oracle Role Manager Integration Guide for details.

15.2.2.4 Upgrade

This release now supports upgrade from Oracle Role Manager 10.1.4.1 and Oracle Role Manager 10.1.4.1.1.

15.2.3 Application Data Model Changes

This release contains changes to the application data model as described in the following table.

Table 15-1 Application Data Model Changes

Model: primordial.xml

The auditStatus domain definition has three new enum constraint values: submitted, approved, and rejected.

The approverType domain definition has been added and is an attribute in the businessRole structural type definition.

The email domain definition has been moved from abstractIdentity to person in the standard model.

The word "privilege" in all titles and messages, when referring to IT privileges, has been changed to "entitlement."

Model: standard.xml

The email definition is now an attribute on the person type and the pattern constraint has been removed.

The oimEntitlementId domain definition has been added and is an attribute in the itPrivilege structural type definition.

The resourceName domain definition has been added and is an attribute in the itPrivilege structural type definition.

A new reference attribute (relationship path) that relates approver to approver business roles has been added to the businessRole structural type definition.

Model: oim_integration.xml

The oimUserGroupId domain definition integer scale value has changed from 10 to 19, and the attribute has been added to the itRole and businessRole structural type definitions with a uniqueness constraint.

The oimAccessPolicyId domain definition integer scale value has changed from 10 to 19.

The oimManagerKey domain definition has been removed.

A uniqueness constraint has been added to the oimAccessPolicyId attribute in the itRole structural type definition.

15.2.4 Java API Changes

This section discusses the following changes to the Oracle Role Manager Java API related to the new features and enhancements for this release:

15.3.3 Databases

Oracle Role Manager release 10.1.4.2 is certified for the following databases:

Oracle Database Deployment

Oracle Database 10g Enterprise Edition release 10.2.0.4 to 10.2.x

Oracle Database 10g Standard Edition release 10.2.0.4 to 10.2.x

Oracle Database 11g Standard Edition release 11.1.0.6 to 11.1.0.x

Oracle Database 11g Enterprise Edition release 11.1.0.6 to 11.1.0.x

Oracle RAC Deployment (general purpose operation)

Oracle Database 10g Enterprise Edition release 10.2.0.4 to 10.2.x

Oracle Database 11g Enterprise Edition release 11.1.0.6 to 11.1.0.x

15.3.4 Certified JDKs

For each certified application server, Oracle Role Manager release 10.1.4.2 is certified for the JDKs listed in Table 15-3.

Table 15-3 Certified JDKs

Application Server: Oracle WebLogic Server

Certified JDK: Oracle JRockit 6.0 (R27.6.0-50)

Note: For 64-bit systems, the JDK must be the 64-bit version of JRockit, not the version that is installed with WebLogic Server. For information about installing the 64-bit JDK, refer to WebLogic Server 10.3 Installation Guide.

15.3.7 Languages

Oracle Role Manager release 10.1.4.2 is certified for the following language:

English (en_US locale only)

15.3.8 Web Browsers

Oracle Role Manager release 10.1.4.2 is certified for the following Web browsers:

Microsoft Internet Explorer 6.0 (SP2)

Microsoft Internet Explorer 7.0

15.4 Fixes in This Release

Oracle Role Manager release 10.1.4.2 resolves the known bugs from previous releases listed in the following table.

Table 15-5 Bugs Resolved by 10.1.4.2

Bug 6949154, Auditing: Dynamic membership updates are not audited. Changes to a user's memberships based on dynamic roles (resolved by membership rules or grant policies) are not stored with audit data.

Bug 6949255, System Messages: System should provide a useful warning for a syntactically incorrect XML rule. The system does not issue a user-friendly message if a syntactically incorrect membership rule is given in the role grant policy or membership rule. Instead, a generic "setMembershipRule failed" error displays.

Bug 7043245, Integration Library: Exception in the Oracle Identity Manager server console when creating a user. The message can be ignored. User creation is successful, both in Oracle Identity Manager and in Oracle Role Manager.

Bug 7529678, Search: SELECT query returns deleted objects. A SELECT query run on the database using the Oracle Role Manager tjdbc driver returns deleted objects. This can affect reports but has no effect on the Oracle Role Manager user interface.

Bug 7718897, Server: CSV file parsing errors during data load. The strings defined as field delimiters in the load script for different object types are inconsistent. All object types use the caret (^) as a delimiter except organization object types, which are set to use the single quote ('). This can result in CSV file parsing errors.

Integration Library: Deploying on UNIX-based systems requires renaming a directory to ensure successful role reconciliation. Role reconciliation fails on case-sensitive UNIX-based systems because the Integration Library looks for the pluginConfigDir directory instead of the pluginConfigdir directory (note the lowercase d).

15.5 Known Problems

This section describes known problems for Oracle Role Manager release 10.1.4.x. If a suitable workaround exists for a known problem, it is listed with the description of the bug to provide a temporary solution.

15.5.2.1 User has no indication why the Delete option is disabled for organizations with child entities

The relationship between organization type objects and their child entities (other organization types, roles, and people) is restrictive, which means if the organization has active relationships with child entities, the organization cannot be deleted. Therefore, the Delete option on the context menu is disabled but the user is given no indication about why it is disabled.

15.5.2.2 Wrapping of data fails

System fails to wrap data with a large number of characters in multiple places in the application.

15.5.2.3 Context menu continues to display when a user selects another transaction

The system continues to display the context menu in the left-hand pane even after the user has selected another transaction, until the user either clicks another primary or secondary menu item or refreshes the context menu.

15.5.2.4 Unnecessary scroll bar on tabbed pages

At screen resolutions of 1600 x 1200 or smaller, the horizontal scroll bar always appears for all the tabs in the bottom content frame (Attributes, Members, Privileges, Mappings, and History).

15.5.2.5 Hierarchy bread crumbs update only on submit and reload of the page

When a person's location in any of the hierarchies changes, the hierarchy path bread crumb does not change unless submit and reload actions are performed.

15.5.2.6 Tree view requires refresh to reflect recent updates

The user must refresh the tree after performing a transaction that creates or updates tree members to reflect those changes in the tree view. This is only an issue if a node is created directly under the root node or for operations performed in other user sessions.

15.5.2.7 Timestamp value does not always match user's locale in role mapping details

When viewing role mapping details, the user may see local time in some and GMT in others. The timestamp format should always match the user's locale.

15.5.2.8 Submit button appears functional to users without appropriate sphere of control to edit role

Suppose a user is granted a system role carrying the system privilege "All for System Role Objects," where the role grant sphere of control is set to ORG_A, but the system role itself is defined with its sphere of control set to ORG_B. If that user navigates to roles in ORG_B, edits appear to be allowed. However, when the user clicks the Submit button and then returns to the "edited" role, no changes have been made. The authorization check is applied correctly on submit; only the user interface fails to indicate that the role is outside the user's sphere of control.

15.5.2.9 Cannot change sphere of control while creating a new role if user switches tab focus

While creating a system role, if the user navigates to another tab in the application and then returns to the Attributes tab and sets the sphere of control, the error "Cannot change the SOC hierarchy type of a role" displays. The workaround is to cancel the operation and start over, setting the sphere of control before navigating to another tab.

15.5.3 Installation

This section describes known bugs related to installation and contains the following topics.

System fails to roll back the previous configuration and displays an exception on retrying the configuration. The workaround is to exit and restart the installer and uninstall the recent installation home, drop and re-create the users/schemas for Oracle Role Manager, then run the installer to install and configure Oracle Role Manager.

15.5.3.2 Installer intermittently skips screens when the user goes back to previous screen

If this occurs, the workaround is to navigate all the way back to the File Location Page, which forces the installer to restart the interview phase and display all screens.

15.5.3.3 System displays the file copy progress as 92% on completion instead of 100% while running the silent installer

While running the installer in silent mode, the file copy progress is displayed as 92% instead of 100%.

15.5.3.4 In clustered environments, managed server fails to start after configuring WebLogic using the provided template

When attempting to start the managed server for Oracle Role Manager, the following exception message displays in the application server console:

This occurs because a permission is missing from the template file used to configure WebLogic for Oracle Role Manager in clustered environments. The workaround is to assign the ormserver user to the Administrators group using the WebLogic Administration Console, and then restart all servers. Note that membership in the WebLogic Administrators group grants full administrative rights over the domain, which is considerably more than the missing permission; treat this as a temporary measure and review the assignment once the template is corrected.

15.5.3.5 Oracle Role Manager runInstaller fails to install on SUSE 10

To install Oracle Role Manager successfully on SUSE 10, run the installer with the option to ignore pre-reqs:

./runInstaller -ignoreSysPrereqs

15.5.4 Integration Library

This section describes known bugs in the Oracle Role Manager Integration Library with Oracle Identity Manager and contains the following topics:

15.5.4.1 Sequence in which records are reconciled from Oracle Identity Manager affects creation of relationships between person records

Suppose the person records of a user and the user's manager are created in Oracle Role Manager during reconciliation with Oracle Identity Manager. You then delete the manager's person record through the Oracle Role Manager user interface. During the next scheduled user reconciliation (Quick or Full) after the manager's person record is deleted, the manager's person record is re-created in Oracle Role Manager, but it might not be associated with the user's person record. The association is established by the end of the following scheduled user reconciliation run (Quick or Full).

The recommended workaround is to use the Resource Management component of the Oracle Identity Manager Administrative and User Console to create and then run a scheduled task with a task name of RoleManagerUserGroupsCleanup1 and a class name of oracle.iam.rm.imframework.scheduledTasks.ScheduledUserGroupsCleanup.

15.5.4.3 Static business roles with the same name not created properly in Oracle Identity Manager

If two or more static business roles share the same name and are sent to Oracle Identity Manager in the same run of the BusinessRolePublishing process, the Integration Library creates the first user group of that name but fails to create the others. In this case, the Integration Library logs the error "duplication user group" in the Oracle Identity Manager application server console.

The workaround is to run the BusinessRolePublishing process again to create the second user group of that name (ORM_BR_name~1), again for the third (ORM_BR_name~2), and so forth, once per additional role with that name.

15.5.4.4 OIM-setup.sh and ORM-setup.sh scripts do not run on SUSE 10 machines

The scripts and their properties files ship with DOS line endings, so on SUSE 10 the shell rejects them. To execute OIM-setup.sh and ORM-setup.sh successfully, you must first remove the carriage-return (^M) characters as follows.

For Oracle Identity Manager:

Remove the ^M characters from:

ORMINT_HOME/tools/WebLogic_Automation/oim-setup.sh

and

ORMINT_HOME/tools/WebLogicAutomation/properties/OIMConfig.properties

Do this either with dos2unix, for example:

dos2unix oim-setup.sh

or with the following shell commands:

sed 's/^M//g' oim-setup.sh > oim-setup-temp.sh

mv oim-setup-temp.sh oim-setup.sh

Note: In the sed command, the ^M character is entered as Ctrl-V followed by Ctrl-M (a single control character), not as the two characters ^ and M.

Repeat the same steps for the OIMConfig.properties file.

For Oracle Role Manager:

Remove the ^M characters from:

ORMINT_HOME/tools/WebLogic_Automation/orm-setup.sh

and

ORMINT_HOME/tools/WebLogicAutomation/properties/ORMConfig.properties

Do this either with dos2unix, for example:

dos2unix orm-setup.sh

or with the following shell commands:

sed 's/^M//g' orm-setup.sh > orm-setup-temp.sh

mv orm-setup-temp.sh orm-setup.sh

Note: In the sed command, the ^M character is entered as Ctrl-V followed by Ctrl-M.

Repeat the same steps for the ORMConfig.properties file.
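The following script is an added example, not part of these release notes or of the Oracle Role Manager distribution. It performs the same carriage-return cleanup described above for both the Oracle Identity Manager and Oracle Role Manager files, but uses tr rather than sed so that no literal control character has to be typed (getting that keystroke wrong is the usual reason the sed form silently does nothing). It first checks whether a file actually contains CR bytes, keeps a .crlf backup before rewriting, and reports what it did. The ORMINT_HOME paths in the usage comment are the ones given in the procedure above; adjust them if your layout differs.

```shell
#!/bin/sh
# Added example: detect and strip CR (^M, byte 0x0d) from the Integration
# Library setup scripts and properties files on a UNIX host.

# has_cr FILE: succeed (exit 0) when FILE contains at least one CR byte.
# tr -cd '\r' keeps only CR bytes; wc -c counts them.
has_cr() {
    n=$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')
    [ "$n" -gt 0 ]
}

# strip_cr FILE: rewrite FILE without CR bytes, keeping FILE.crlf as a
# backup (with permissions preserved) so the original can be restored.
strip_cr() {
    f=$1
    cp -p "$f" "$f.crlf" || return 1
    tr -d '\r' < "$f.crlf" > "$f" || return 1
}

# fix_files FILE...: strip CRs only from files that contain them and print
# one status line per file. Returns the number of files it could not process.
fix_files() {
    failed=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            failed=$((failed + 1))
        elif has_cr "$f"; then
            if strip_cr "$f"; then
                echo "fixed:   $f"
            else
                echo "failed:  $f" >&2
                failed=$((failed + 1))
            fi
        else
            echo "clean:   $f"
        fi
    done
    return "$failed"
}

# Typical invocation, with ORMINT_HOME set to the Integration Library home
# and the four files named in the procedure above (assumed paths):
#   fix_files "$ORMINT_HOME/tools/WebLogic_Automation/oim-setup.sh" \
#             "$ORMINT_HOME/tools/WebLogicAutomation/properties/OIMConfig.properties" \
#             "$ORMINT_HOME/tools/WebLogic_Automation/orm-setup.sh" \
#             "$ORMINT_HOME/tools/WebLogicAutomation/properties/ORMConfig.properties"
if [ "$#" -gt 0 ]; then
    fix_files "$@"
fi
```

Run it with the files to clean as arguments; files that are already clean are left untouched, so it is safe to re-run after a patch or redeploy.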

15.5.5 Search

This section describes known bugs around the search functionality and behavior and contains the following topics:

15.5.5.2 Search results fail to refresh in pop-up windows

Search attributes and operators appear to be sorted in random order in the search menu on search pages. The sort order should be alphabetical and case-insensitive.

15.5.5.4 Search operator should be retained when selecting a different search attribute.

When the user searches by first name using the "begins with" operator and later searches by a different attribute, the operator resets to "contains", the default operator.

15.5.5.5 Misleading message when user attempts empty wildcard search

When the user searches on a blank value, the message "Full wildcard search is not supported" displays, which is a misleading statement. Full wildcard searches can be performed by entering the percent symbol (%) in the field to search.

15.5.6 Server

This section describes known server bugs and contains the following topics:

When the specified field delimiter character is present in the data to be loaded, the data loader fails. There is currently no way to specify an escape character that would allow the delimiter to be treated as "loadable" data.

The recommendation is to make sure that the field delimiter for all object types is a character that does not occur anywhere in your data set. The delimiter is set in the file parsing scripts. For information about the file parsing scripts, see Oracle Role Manager Administrator's Guide.
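Because the loader has no escape character, an embedded delimiter silently shifts every following column of that record, which for role and membership data means the wrong person or organization can end up in the wrong place. The script below is an added example, not part of these release notes or of the Oracle Role Manager tooling. It provides two pre-load checks: delim_in_data, to confirm that a candidate delimiter does not occur in a raw data export before you choose it, and check_fields, which counts fields per record in an already delimited file and reports any record whose count does not match the expected number. The sample records and the caret delimiter are constructed for illustration; the expected field count depends on your own object type.

```shell
#!/bin/sh
# Added example: sanity-check delimited data before handing it to the
# Oracle Role Manager data loader, which has no escape character.

# delim_in_data FILE DELIM: succeed (exit 0) when DELIM occurs anywhere in
# FILE. Run this against a raw export of the field values (before they are
# joined with the delimiter) to confirm a candidate delimiter is safe.
# -F matches literally, and -- stops a delimiter like "-" being read as an option.
delim_in_data() {
    grep -qF -- "$2" "$1"
}

# check_fields FILE DELIM N: print every record of FILE whose field count
# differs from N and exit 1 if any were found, else exit 0.
# Fields are counted with index(), which matches the delimiter literally;
# split() would treat a caret as a regex anchor. A delimiter of "\" would
# need doubling because awk -v processes escape sequences.
check_fields() {
    awk -v d="$2" -v n="$3" '
        {
            s = $0; c = 1
            while ((i = index(s, d)) > 0) { c++; s = substr(s, i + 1) }
            if (c != n) {
                bad++
                printf "line %d: %d fields, expected %d: %s\n", NR, c, n, $0
            }
        }
        END { exit (bad > 0) }' "$1"
}

# Usage: check_fields.sh FILE DELIM EXPECTED_FIELDS
# e.g.   check_fields.sh organizations.csv '^' 3
if [ "$#" -eq 3 ]; then
    check_fields "$1" "$2" "$3"
fi
```

A non-zero exit from check_fields is a reason to stop the load, not merely a warning: the loader itself will not detect the shifted columns.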

15.5.6.2 System allows the System Administrator system role to be deleted or made inactive

The system does not prevent the removal or deactivation of grants that are essential to administering it. The recommended workaround is to use the procedures described in the Oracle Role Manager Administrator's Guide to restore the System Administrator system user.

15.5.6.3 J2EE EJB method invocation may time out and roll back if batch role resolution takes longer than specified time

An EJB method invocation has a timeout associated with it. If batch role resolution takes longer than that timeout, the invocation is rolled back, and no matter how many retries take place, the batch role membership resolution does not complete.

For JBoss, add the following to the TimerCommandEJB configuration in the jboss.xml file:

15.5.6.4 Oracle RAC support lacks certification for high availability scenarios

The Oracle Role Manager supports Oracle RAC database environments for general purpose operation only. High-availability scenarios, such as load balancing and failover, are not officially supported.

15.5.6.5 Bulk loading of large data set with Sun JDK throws errors

When deploying large data sets on Oracle Role Manager configured with the Sun JDK, the error "java.lang.OutOfMemoryError: Java heap space" might display. This is caused by either not enough JVM memory set in JAVA_OPTIONS, not enough physical memory on the host, or both.

For more information about increasing the JVM memory settings, see Oracle Role Manager Installation Guide.

If a customized CAR bundle contains versioned XML files that are already deployed but unchanged, the CAR file cannot be deployed. One workaround is to make sure that customizations are bundled separately, so that the CAR file to deploy contains only the changed XML files.

Another workaround is to separate the versioned files (standard.xml, standard_permissions.xml, oim_integration.xml in oracle.iam.rm.temporal, and any XML that contains customized application data model extensions) from the component configuration XML files. This workaround allows redeploy of configuration without having to create separate CAR files. Note that redeploying the versioned files requires incrementing the version each time the CAR is changed and redeployed.

15.5.6.7 Web sessions on clustered JBoss environments may not failover where messages are waiting to display

Due to a Java Server Faces bug, there is a small chance that a user session might be lost when replicating a user session during an application server failover event. This issue only occurs when a user performs create, delete, or update actions in the Web application and a message instance inside the session is not yet visible in the user interface. In this rare situation, a JBossCacheService exception (java.io.NotSerializableException) displays in the log file and can be ignored.

15.5.6.8 Problems when the database server and the application server are set to different times

When the database server and the application server are set to different times, there can be problems deploying the Oracle Role Manager server to the application server. There can also be problems related to setting transaction time for operations submitted from the Oracle Role Manager Web application.

When starting the primary node on JBoss, some WARN exceptions display in the application server console. This is because JBoss happens to load the finalization-server.ear before its dependencies, such as the JMS resources and the server.ear EJBs. These error conditions recover when the dependencies are subsequently loaded, so the exception messages can be ignored.

15.5.7 System Messages

This section describes bugs relating to messages generated by the system that display to the end user. This section contains the following topics:

15.5.7.1 System fails to display a warning dialog when canceling or navigating away from a create process

The system does not display a dialog with a meaningful message and allows the user to navigate away from the create page. The user is not warned that data already entered may be lost.

15.5.7.2 No warning message when delegating a Business Role twice to the same person

When delegating a Business Role twice to the same person, the system successfully prevents repeat delegation, but no message displays to inform the user that the person already has been delegated that role.

15.6 Certification Information

The latest certification information for Oracle Role Manager 10g (10.1.4.2) is available at: